The HIPAA Risk That Lurks in the Shadows
For many of us, Halloween brings the annual trip to the haunted house. We walk through carefully, taking precautions to steel ourselves against the many ghouls and goblins (usually local teens with a mean streak) hidden everywhere. But no matter how hard we try to prepare, sooner or later something or someone jumps out at us suddenly, and we find that we weren’t quite as ready for it as we thought. This is what we call fun.
The healthcare world has its own version of this scenario with the fax. Only this one is a lot scarier. When it comes to the security of information required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), private information sent via fax could be a gremlin lurking in the shadows. Most of the work that has been done to meet HIPAA requirements has focused on improving internal security protocols and encryption or other protection of electronic data and e-mail, making sure patient information is locked up tight. Faxing was largely ignored, because it was considered an outdated technology.
Yet, the reality of day-to-day healthcare operations is that many providers still use handwritten charts. When those charts need to be transmitted to a consulting provider, an insurance company, or even between offices, fax is the communication medium of choice. The primary security risk in traditional, machine-based faxing is that it creates a very public view of very private documents. Faxes are usually loaded onto machines sitting in public areas, where they remain (often unattended) until transmission is completed.
On the other end, the most likely scenario is that it is again received on a fax machine in a public area, where it sits until someone delivers it. In the meantime, anyone in the organization can walk by and read this confidential information, or even make a copy of it. There could be a significant delay until it is sorted and delivered; or, it could be delivered to the wrong person, creating an unintentional HIPAA violation.
There is a way, however, to bring faxing into HIPAA compliance: Internet faxing. With this technology, there are two confidential ways to send and receive faxes—direct from the user’s e-mail account, which is as secure as any other e-mail, or via a secure server. With the latter method, after logging in, users are able to view the fax and/or download it to their computer. This same method can be used in reverse to send a fax, leaving no trace of the original fax in a mail server “sent” file. The secure server method provides the ultimate in HIPAA-compliant security for the most sensitive documents, especially if the service uses 128-bit encryption and Secure Sockets Layer (SSL) when transmitting and receiving documents.
Operationally, Internet faxing appears the same as a traditional fax to the person on the other end. The user has a telephone number, often toll-free, that can be called from any fax machine in the world. Faxes can be sent either to a standard fax machine or directly to the person on the other end if he/she also is using an Internet fax service. Despite the prevailing wisdom, faxing is still a critical component within the healthcare industry. As such, information transmitted via fax runs the same risks of HIPAA violation as any other data. Instead of allowing faxes to lurk in the shadows, Internet fax services help security managers bring the fax portion of their operations up to the same standards they are using for other forms of communication. If HIPAA compliance falls under your purview, secure faxing should definitely be on your radar screen. To learn more about Internet faxing, view the demos.
Steve Adams is Vice President of Marketing for MyFax, a provider of Internet faxing services for individual home users, small businesses, and large corporations. MyFax has won a number of awards in head-to-head competitions for ease of use, reliability, and best overall value. Adams can be contacted at firstname.lastname@example.org.